SigmaHQ/rules/windows/process_creation/win_powershell_renamed_ps.yml

title: Renamed Powershell.exe
status: experimental
description: Detects copying and renaming of powershell.exe before execution (RETEFE malware DOC/macro starting Sept 2018)
references:
    - https://attack.mitre.org/techniques/T1086/
    - https://isc.sans.edu/forums/diary/Maldoc+Duplicating+PowerShell+Prior+to+Use/24254/
tags:
    - attack.t1086
    - attack.execution
author: Tom Ueltschi (@c_APT_ure)
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Description: Windows PowerShell
    exclusion_1:
        Image:
            - '*\powershell.exe'
            - '*\powershell_ise.exe'
    exclusion_2:
        Description: Windows PowerShell ISE
    condition: all of selection and not (1 of exclusion_*)
falsepositives:
    - penetration tests, red teaming
level: high
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`title: Renamed Powershell.exe`
			`status: experimental`
			`description: Detects copying and renaming of powershell.exe before execution (RETEFE malware DOC/macro starting Sept 2018)`
			`references:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- https://attack.mitre.org/techniques/T1086/`
			`- https://isc.sans.edu/forums/diary/Maldoc+Duplicating+PowerShell+Prior+to+Use/24254/`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`tags:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- attack.t1086`
			`- attack.execution`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`author: Tom Ueltschi (@c_APT_ure)`
			`logsource:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`category: process_creation`
			`product: windows`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`detection:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`selection:`
			`Description: Windows PowerShell`
			`exclusion_1:`
			`Image:`
			`- '*\powershell.exe'`
			`- '*\powershell_ise.exe'`
			`exclusion_2:`
			`Description: Windows PowerShell ISE`
			`condition: all of selection and not (1 of exclusion_*)`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`falsepositives:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- penetration tests, red teaming`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`level: high`